CVE-2018-9248
Published 2018-04-04
CVE-2018-9248: FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass via a "Cookie: Name=0admin" header.
Priority: P271, critical, 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 15.25% (96.4th percentile)
Detection & IOCs (extracted from sources)
- Detect HTTP requests containing the hardcoded bypass cookie 'Name=0admin' in the Cookie header, which grants unauthenticated access to the FiberHome HG 150-UB admin interface.
- The device's HTTP response to unauthenticated requests returns two concatenated HTTP/1.1 200 responses: the first contains 'Set-Cookie: Name=; path=/' and a redirect to login.html, and is followed immediately by the actual homepage content. Detecting this malformed double-response pattern can identify vulnerable devices.
- Server banner 'micro_httpd' in HTTP responses can help fingerprint FiberHome HG 150-UB devices exposed to this authentication bypass.
- The bypass relies on a hardcoded, plaintext cookie value. The default gateway IP 192.168.10.1 is used in the exploit but may vary per deployment; the cookie-based bypass applies regardless of the device's IP address.
- A second bypass vector exists via response-splitting/improper session handling: stripping the redirect JavaScript from the first HTTP response body grants access without any cookie manipulation, making cookie-only detection insufficient to cover all attack paths.
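The checks listed above, as an added example (not taken from the sources this page indexes): Python functions that flag the bypass cookie in a captured request, and the 'micro_httpd' banner plus the double-200 pattern in a captured response, so that coverage does not rest on the cookie alone. The sample captures, the hostname, the redirect body and all function names are constructed for illustration.

```python
import re

# Exact cookie pair from the advisory; anchored so "Name=0administrator"
# or "SessionName=0admin" do not match.
BYPASS_COOKIE = re.compile(r"(?:^|;)\s*Name=0admin\s*(?:;|$)")
STATUS_200 = re.compile(rb"HTTP/1\.1 200\b")

def headers(raw):
    """Return (lowercased name, value) pairs from the first header block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip request/status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def request_findings(raw_request):
    """Flag a request carrying the hardcoded bypass cookie."""
    hit = any(n == "cookie" and BYPASS_COOKIE.search(v)
              for n, v in headers(raw_request))
    return ["bypass-cookie"] if hit else []

def response_findings(raw_response):
    """Flag the server banner and the two concatenated 200 responses."""
    found = []
    if any(n == "server" and "micro_httpd" in v
           for n, v in headers(raw_response)):
        found.append("micro_httpd-banner")
    starts = [m.start() for m in STATUS_200.finditer(raw_response)]
    if len(starts) >= 2:
        first = raw_response[:starts[1]]         # everything before 2nd status line
        if b"Set-Cookie: Name=; path=/" in first and b"login.html" in first:
            found.append("double-200-response")
    return found

# Constructed sample captures (not real device traffic).
REQ_BYPASS = (b"GET / HTTP/1.1\r\nHost: gateway.example\r\n"
              b"Cookie: Name=0admin\r\n\r\n")
REQ_NORMAL = (b"GET /login.html HTTP/1.1\r\nHost: gateway.example\r\n"
              b"Cookie: Name=\r\n\r\n")
RESP_DOUBLE = (b"HTTP/1.1 200 OK\r\nServer: micro_httpd\r\n"
               b"Set-Cookie: Name=; path=/\r\n\r\n"
               b"<script>top.location='login.html';</script>"
               b"HTTP/1.1 200 OK\r\nServer: micro_httpd\r\n\r\n<html>home</html>")
RESP_SINGLE = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>ok</html>"

if __name__ == "__main__":
    for sample in (REQ_BYPASS, REQ_NORMAL):
        print(request_findings(sample))
    for sample in (RESP_DOUBLE, RESP_SINGLE):
        print(response_findings(sample))
```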
CVSS provenance
- nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P